Re: Failure to Authenticate from time to time

Brian Matheson (bmath@sirius.com)
Tue, 12 Nov 1996 11:32:10 -0800

This sounds like a problem that we had a while back. You might check
the logfile in your raddb directory for requester mismatch errors. We
had a bunch of these. We rebuilt the clients file using ip addresses
instead of names, and haven't had an instance of it since.

Thu Oct 17 12:59:41 1996: requester address mismatch: 0.0.0.0 != portmaster.domain.com
Thu Oct 17 12:59:41 1996: Authenticate: from portmaster.domain.com - Security Breach: username

Every once in a while we'd get a complaint that someone wasn't able to
authenticate even though their username and password were correct.
Then we discovered it was happening in spurts, not letting anyone in
for ten minutes or so and then suddenly working normally. Since it
only lasted for such a short time, we had never noticed it before.

We use two NeXT slabs running NetInfo for Radius authentication.
They're both dedicated to that, and not doing anything else (waste of
good cpu cycles, I know, but it sure does make things easier to fix
:^). The redundancy didn't help at all in this situation, it happened
at the same time on each machine. This is what led me to believe
that it was a name lookup problem. The puzzler then is that nslookup
gave me correct ip addresses while all of this was going on.

We're still not sure whether it had to do with the Nexts' netinfo
database interfering with DNS lookup, or something silly like that.
But, if Drew's problem is related to the one I just described, then it
sounds like it's a problem that should be addressed. Perhaps radius
caches name lookups that it does on the clients file? I don't really
know.

Megazone?

Mike Taylor writes:
> On Mon, 11 Nov 1996, Drew C Morone wrote:
>
> > For some reason radius will fail to authenticate a user when (s)he dials
> > in. This has actually happened to me a few times. There doesn't seem to
> > be any reason, however it seems to happen at high volume times, and more
> > on one PM than another (this may be due to the fact that -this- PM is
> > located at the end of the hunt, thus only really active during peak times).
> >
> > I am running Radius 1.16 on a FreeBSD system. Any advice?
> >
> Run dual radius servers, on the first half of your pool set server A as the
> primary and on the last half set server b as the primary.
>
> \\|// ^^^^^ )))(( %%%%% ,,,,,
> (- -) (o o) (- o) (0-0) (* *)
> +--ooO-(_)-Ooo--oo0-(_)-0oo--ooO-(_)-Ooo--oo0-(_)-0oo--ooO-(_)-Ooo--+
> | NETWORK OPERATIONS CENTER |
> | mailto:support@friendly.jeffnet.org Voice # 800-876-8797 |
> | http://jeffnet.org/linuxisp 541-776-3283 |
> | Mike Taylor - Network Services Manager |
> +-------------------------------------------------------------------+
>
> ------------------------------
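
Added example, not part of the original message or of any RADIUS distribution: a small log check for the symptom described above. It groups "requester address mismatch" lines into bursts so that short outages stand out. The sample lines are constructed in the format quoted in the message, the host pm2.domain.com is made up, and the 10-minute quiet gap is an assumption taken from the "ten minutes or so" in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the log format quoted in the message above.
SAMPLE_LOG = """\
Thu Oct 17 12:59:41 1996: requester address mismatch: 0.0.0.0 != portmaster.domain.com
Thu Oct 17 12:59:41 1996: Authenticate: from portmaster.domain.com - Security Breach: username
Thu Oct 17 13:03:05 1996: requester address mismatch: 0.0.0.0 != portmaster.domain.com
Thu Oct 17 13:08:50 1996: requester address mismatch: 0.0.0.0 != pm2.domain.com
Thu Oct 17 15:30:00 1996: requester address mismatch: 0.0.0.0 != portmaster.domain.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): "
    r"requester address mismatch: (?P<seen>\S+) != (?P<expected>\S+)\s*$"
)


def mismatch_events(text):
    """Yield (timestamp, seen, expected) for each mismatch line; skip all others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["seen"], m["expected"]


def bursts(text, gap=timedelta(minutes=10)):
    """Group mismatches into bursts; a new burst starts after a quiet period > gap."""
    out = []
    for ts, _seen, expected in sorted(mismatch_events(text)):
        if out and ts - out[-1]["end"] <= gap:
            out[-1]["end"] = ts
            out[-1]["count"] += 1
            out[-1]["clients"].add(expected)
        else:
            out.append({"start": ts, "end": ts, "count": 1, "clients": {expected}})
    return out


if __name__ == "__main__":
    for b in bursts(SAMPLE_LOG):
        print(b["start"], "->", b["end"], b["count"], sorted(b["clients"]))
```

A burst that names several clients at once points at name resolution on the server rather than at a single misconfigured client entry.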